Scam to Obtain PHI Involves Impersonating OCR Investigators

Although most social engineering and phishing attacks come about through email, social engineering strategies are likewise employed to persuade people to disclose sensitive data through other channels of communication, such as the telephone. There is one such campaign now being carried out through the telephone to persuade healthcare workers to reveal protected health information (PHI).

A person professing to be an investigator from the HHS’ Office for Civil Rights is contacting healthcare providers to get the protected health information of patients. The fraudulent act caused OCR to release a warning to healthcare organizations last weekend. The caller does not give any information which could be used to confirm the legitimacy of the phone call such as an OCR compliant transaction number.

OCR has advised healthcare organizations and business associates to give their workforce heightened information about the scam and to give facts on the right course of action to undertake in the event of receiving such a call.

Healthcare workers need to confirm the identity of any unknown caller asking for PHI. In case of receiving a call from a person professing to be an investigator from OCR, healthcare workers ought to require his/her email address and ask for a written confirmation of the request to be sent through email from the hhs.gov email account of the OCR investigator. All OCR personnel possess an email address with @hhv.gov.

In case of receiving an email, verifications should be made to validate the official @hhs.gov email account used to send the email message to be sure that the email address was not spoofed.

OCR has given instructions to forward any questions or issues to OCR through email – OCRMail@hhs.gov – and to report any suspected incidents of impersonation of OCR employees to the Federal Bureau of Investigation (FBI).